Flame, Stuxnet Malware Creators Worked Together, Researchers Say

New evidence uncovered by Kaspersky Lab indicates code was shared between Flame and an early version of Stuxnet. The code-sharing shows the creators of the malware collaborated early on, before going their separate ways in 2010, researchers say.

Researchers at Kaspersky Lab have found what they believe is a direct link between Flame and the Stuxnet malware that was discovered targeting uranium centrifuges at Iran's nuclear facilities.

According to Kaspersky, the main module in Flame contains code similar to what was found in an early iteration of Stuxnet. The discovery is significant, as many have questioned whether or not there was a connection between Stuxnet, Duqu--also considered linked to Stuxnet--and Flame.

As it turns out, the first version of Stuxnet, referred to by Kaspersky as Stuxnet.A, appeared in June 2009 and differed greatly from later variants. The 2009 version, for example, did not use the MS10-046 LNK file vulnerability to propagate, but used a special trick with the autorun.inf file to infect USB drives. The 2009 version also only had one driver file, whereas the 2010 versions had two.

The most significant change, however, involves something called "resource 207," a 520,192-bit DLL file that was dropped altogether in 2010 when its code was merged into other modules.

"Resource 207's main functionality was to ensure Stuxnet propagation to removable USB drives via autorun.inf, as well as to exploit a then-unknown vulnerability in win32k.sys to escalate privileges in the system at the stage of infection from USB drive," explained Alexander Gostev, head of the Global Research and Analysis team at Kaspersky.

"Spreading via autorun.inf is another trick that the Stuxnet 2009 version and the current variants of Flame have in common," Gostev noted.

Inside Resource 207 is a portable executable (PE) file that is actually a Flame plug-in, or more precisely, a proto-Flame module that has "obviously a lot in common" with the current version of its main module, mssecmgr.ocx, Gostev added.

This shared code, said Kaspersky Senior Virus Analyst Roel Schouwenberg, proves that there is a direct link between the pieces of malware and that there was early collaboration between their creators.

"I think when it comes to source code, it s much less likely that you share your source code without knowing why. You don't just share that with anyone," he said.

Recently, a report in The New York Times featured several sources stating President Barack Obama ordered the use of cyber-attacks against Iran. The efforts, built on plans created during the administration of former President George W. Bush, were aimed at derailing Iran's nuclear program.